An important part of HTTPS Inspection support is validating the server's certificate against the Certificate Authority (CA) that signed it.
Note: when HTTPS Categorization (HTTPS Light) is enabled, the trusted CA list is also used.
A Security Gateway with HTTPS Inspection enabled has a built-in predefined list of trusted CAs, based on the Microsoft updated TrustedCA list.
Updates are released based on changes in the recommended CA list.
This article describes how to:
- Perform a manual update of Trusted CAs
- Configure a Security Management Server to check if updates to Trusted CAs are necessary
To configure a Security Management Server to update trusted CAs automatically, see sk173629 - How to update trusted CAs automatically.
Performing a manual update of Trusted CAs on a Management Server
- Download the Trusted CAs package.
  Software Subscription or Active Support plan is required to download this package.
- Upload the Trusted CAs package to the Management Server.
On a Management Server R80 and higher:
- Connect with SmartConsole to Security Management Server / Domain Management Server.
- From the left navigation panel, click Manage & Settings.
- Click Blades.
- Below Configure HTTPS Inspection, click Configure in SmartDashboard.
- Click the Trusted CAs section.
- At the top, click Actions > select Update certificate list... > browse for and select the ZIP file with certificates > click Open.
- Save the changes and close SmartDashboard.
- In SmartConsole, install the Access Control Policy on the Security Gateways.
On a Management Server R77.30 and lower:
- Connect with SmartDashboard to Security Management Server / Domain Management Server.
- Go to the Application & URL Filtering tab.
- Expand the Advanced section.
- Expand the HTTPS Inspection section.
- Click the Trusted CAs section.
- At the top, click Actions > select Update certificate list... > browse for and select the ZIP file with certificates > click Open.
- Install policy on the Security Gateways.
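Because the uploaded ZIP changes which CAs the gateway trusts during HTTPS Inspection, it is worth recording which certificates an update adds or removes before installing policy. The following is an added example, not part of the original article or any Check Point tooling; it assumes the package is a ZIP with one certificate per file in DER or PEM encoding (the article does not document the package layout), and the function names and sample data are hypothetical.

```python
import hashlib
import io
import ssl
import zipfile

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"


def fingerprints(package: bytes) -> dict[str, str]:
    """Map SHA-256 fingerprint -> member name for every file in a ZIP package."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            if data.lstrip().startswith(PEM_HEADER):
                # Normalise PEM to DER so both encodings hash identically.
                data = ssl.PEM_cert_to_DER_cert(data.decode("ascii").strip())
            result[hashlib.sha256(data).hexdigest()] = info.filename
    return result


def diff_packages(current: bytes, update: bytes) -> dict[str, list[str]]:
    """Report members whose fingerprint exists in only one of the two packages."""
    old, new = fingerprints(current), fingerprints(update)
    return {
        "added": sorted(new[f] for f in new.keys() - old.keys()),
        "removed": sorted(old[f] for f in old.keys() - new.keys()),
    }


def _make_zip(members: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed stand-ins for certificate bytes (not real certificates).
CA_A, CA_B, CA_C = b"constructed-ca-A", b"constructed-ca-B", b"constructed-ca-C"
CURRENT = _make_zip({"ca_a.cer": CA_A, "ca_b.cer": CA_B})
UPDATE = _make_zip({"ca_a.pem": ssl.DER_cert_to_PEM_cert(CA_A).encode(),
                    "ca_c.cer": CA_C})

if __name__ == "__main__":
    for change, names in diff_packages(CURRENT, UPDATE).items():
        print(change, names)
```

To compare real packages, read the previously installed ZIP and the newly downloaded ZIP as bytes and pass them to diff_packages().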
Enabling automatic update checks for Trusted CAs on a Management Server
Note: Updates are only checked automatically. They must be installed manually.
On a Management Server R80 and higher:
- Connect with SmartConsole to Security Management Server / Domain Management Server.
- From the left navigation panel, click Manage & Settings.
- Click Blades.
- Below Configure HTTPS Inspection, click Configure in SmartDashboard.
- Click the Trusted CAs section.
- At the bottom of this page, check the box Notify when a Trusted CA and Blacklist update file is available for installation.
  If there is an available update, then this message appears: "A Trusted CA and Blacklist update has been downloaded"
- Save the changes and close SmartDashboard.
- In SmartConsole, install the Access Control Policy on the Security Gateways.
On a Management Server R77.30 and lower:
- Connect with SmartDashboard to the Security Management Server / Domain Management Server.
- Go to the Application & URL Filtering tab.
- Expand the Advanced section.
- Expand the HTTPS Inspection section.
- Click the Trusted CAs section.
- At the bottom of this page, check the box Notify when a Trusted CA and Blacklist update file is available for installation.
  If there is an available update, then this message appears: "A Trusted CA and Blacklist update has been downloaded"
- Click Install now.
- Install policy on the Security Gateway.
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.